Unusual Web Request

  1[metadata]
  2creation_date = "2020/03/25"
  3integration = ["endpoint", "network_traffic"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6
  7[rule]
  8anomaly_threshold = 50
  9author = ["Elastic"]
 10description = """
 11A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to
 12initial access, persistence, command-and-control, or exfiltration activity. For example, in a strategic web compromise
 13or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted
 14users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload.
 15When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for
 16command-and-control communication. When rare URLs are observed being requested for a local web server by a remote
 17source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers
 18which are part of common Internet background traffic.
 19"""
 20false_positives = [
 21    """
 22    Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical
 23    support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger
 24    this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this
 25    when they are used sparsely. Web domains can be excluded in cases such as these.
 26    """,
 27]
 28from = "now-45m"
 29interval = "15m"
 30license = "Elastic License v2"
 31machine_learning_job_id = "packetbeat_rare_urls"
 32name = "Unusual Web Request"
 33setup = """## Setup
 34
 35This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
 36- Elastic Defend
 37- Network Packet Capture
 38
 39### Anomaly Detection Setup
 40
 41Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
 42
 43### Elastic Defend Integration Setup
 44Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 45
 46#### Prerequisite Requirements:
 47- Fleet is required for Elastic Defend.
 48- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 49
 50#### The following steps should be executed in order to add the Elastic Defend integration to your system:
 51- Go to the Kibana home page and click "Add integrations".
 52- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 53- Click "Add Elastic Defend".
 54- Configure the integration name and optionally add a description.
 55- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
 56- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 57- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 58- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 59For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
 60- Click "Save and Continue".
 61- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 62For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 63
 64### Network Packet Capture Integration Setup
 65The Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment — ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.
 66
 67#### The following steps should be executed in order to add the Elastic Agent System integration "network_traffic" to your system:
 68- Go to the Kibana home page and click “Add integrations”.
 69- In the query bar, search for “Network Packet Capture” and select the integration to see more details about it.
 70- Click “Add Network Packet Capture”.
 71- Configure the integration name and optionally add a description.
 72- Review optional and advanced settings accordingly.
 73- Add the newly installed “network_traffic” to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.
 74- Click “Save and Continue”.
 75- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).
 76"""
 77references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 78risk_score = 21
 79rule_id = "91f02f01-969f-4167-8f55-07827ac3acc9"
 80severity = "low"
 81tags = [
 82    "Use Case: Threat Detection",
 83    "Rule Type: ML",
 84    "Rule Type: Machine Learning",
 85    "Tactic: Command and Control",
 86    "Resources: Investigation Guide",
 87]
 88type = "machine_learning"
 89note = """## Triage and analysis
 90
 91> **Disclaimer**:
 92> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 93
 94### Investigating Unusual Web Request
 95The 'Unusual Web Request' detection leverages machine learning to identify rare URLs that deviate from typical web activity, potentially signaling malicious actions like initial access or data exfiltration. Adversaries exploit trusted sites by embedding uncommon URLs for payload delivery or command-and-control. This rule flags such anomalies, aiding in early threat detection and response.
 96
 97### Possible investigation steps
 98
 99- Review the alert details to identify the specific rare URL that triggered the detection and note any associated IP addresses or domains.
100- Check historical logs to determine if the rare URL has been accessed previously and identify any patterns or trends in its usage.
101- Investigate the source of the request by examining the user agent, referrer, and originating IP address to assess whether it aligns with known legitimate traffic or appears suspicious.
102- Analyze the destination of the URL to determine if it is associated with known malicious activity or if it has been flagged in threat intelligence databases.
103- Correlate the unusual web request with other security events or alerts to identify potential connections to broader attack campaigns or ongoing threats.
104- Assess the impacted systems or users to determine if there are any signs of compromise, such as unexpected processes, network connections, or data exfiltration attempts.
105- Consider reaching out to the user or system owner to verify if the access to the rare URL was intentional and legitimate, providing additional context for the investigation.
106
107### False positive analysis
108
109- Web scraping tools and bots can trigger false positives by making requests to uncommon URLs as part of routine internet background traffic.
110- Legitimate web scanning or enumeration activities by security teams may be flagged; these should be reviewed and whitelisted if verified as non-threatening.
111- Automated processes or scripts that access rare URLs for legitimate business purposes can be excluded by identifying and documenting these activities.
112- Frequent access to uncommon URLs by trusted internal applications or services should be monitored and added to exception lists to prevent unnecessary alerts.
113- Regularly review and update the list of excluded URLs to ensure it reflects current legitimate activities and does not inadvertently allow malicious traffic.
114
115### Response and remediation
116
117- Isolate the affected system from the network to prevent further communication with the suspicious URL and potential data exfiltration.
118- Conduct a thorough scan of the isolated system using updated antivirus and anti-malware tools to identify and remove any malicious payloads or software.
119- Review and block the identified unusual URL at the network perimeter to prevent other systems from accessing it.
120- Analyze network logs to identify any other systems that may have communicated with the suspicious URL and apply similar containment measures.
121- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger attack campaign.
122- Implement enhanced monitoring for similar unusual web requests across the network to detect and respond to potential threats more quickly in the future.
123- Review and update firewall and intrusion detection/prevention system (IDS/IPS) rules to better detect and block uncommon URLs associated with command-and-control activities."""
124[[rule.threat]]
125framework = "MITRE ATT&CK"
126[[rule.threat.technique]]
127id = "T1071"
128name = "Application Layer Protocol"
129reference = "https://attack.mitre.org/techniques/T1071/"
130[[rule.threat.technique.subtechnique]]
131id = "T1071.001"
132name = "Web Protocols"
133reference = "https://attack.mitre.org/techniques/T1071/001/"
134
135
136
137[rule.threat.tactic]
138id = "TA0011"
139name = "Command and Control"
140reference = "https://attack.mitre.org/tactics/TA0011/"